CIO Insights and Analysis from Deloitte. Content from our sponsor. Please note: The Wall Street Journal News Department was not involved in the creation of the content below.


Behavior Patterns That Can Indicate an Insider Threat

Improvements in technology have made it easier for public and private sector organizations to identify the behavioral patterns that may indicate a malicious insider threat, but technology is just one component of an overall insider threat program.

Insider threats are seldom impulsive acts. Employees wishing to harm a current or former employer, business partner, or client—whether by stealing trade or government secrets, sabotaging information systems, or even opening fire on colleagues—usually plan their actions. Some wish to get revenge against an organization they believe wronged them. Others seek some kind of personal or financial gain, or to point out a perceived injustice. Still others may operate as spies for a foreign government. Regardless of their motivation, their plans often percolate for weeks, months, or even years before they act. Recent revelations about a member of the U.S. intelligence community leaking national security documents have once again put public and private sector organizations on alert to insider threats.

“Insiders move along a continuum from idea to action,” says Michael Gelles, a director with Deloitte Consulting LLP and a former chief psychologist for the Naval Criminal Investigative Service (NCIS). “They don’t wake up one morning and decide to exploit confidential information. They get an idea, ruminate, and then begin testing the waters to see if they can execute the idea—maybe by trying to access sensitive data or a secure facility.”

As insiders move along the idea-to-action continuum, they leave evidence, no matter how hard they may try to cover their tracks. Red flags frequently take the form of changes in attitude or behavior: The insider may grow frustrated or disgruntled, begin violating corporate policies, come in early or stay late at the office, show “undue interest” in information that is not relevant to their work, or attempt to access physical areas where they don’t typically—or shouldn’t—work, according to Gelles.

To detect insiders’ actions before they do harm, Gelles advises organizations to establish a series of threat indicators, such as policy violations, job performance difficulties, or disregard for rules, based on the high-value assets they wish to protect. For example, potential indicators that a rogue software developer may be preparing to steal his company’s source code include a vengeful attitude, isolation from co-workers, access to the system on which the source code is stored during off-hours, and a bad performance rating. (An employee with a bad rating who believes he’s going to lose his job may try to steal intellectual property that could help him land a job with a competitor or start his own company.) Manufacturers seeking to safeguard new product designs may keep an eye out for insiders trying to access or download those plans, traveling to countries where intellectual property theft is prevalent, sending emails with large attachments, and/or experiencing financial difficulty.

“There’s no (psychological) profile for an insider,” says Gelles. “An individual’s personality isn’t nearly as important as their actions. That said, you’re not looking for a specific behavior, but a pattern of behaviors that may indicate a potential insider threat.”

With insider threat indicators established, companies can then begin to collect and correlate virtual and nonvirtual data about employees, according to Gelles. Virtual data refers to the digital trails employees leave when they log on and off the corporate network, access systems, download or print documents, send email, and use the Web. Nonvirtual data includes information about an individual’s role in an organization, performance ratings, compliance with corporate policies, and work habits (such as the times of day they start and stop working, the people they typically interact with, and their physical movement throughout an office).

Gelles has analyzed a variety of insider threat detection tools that use advanced analytics to correlate virtual and nonvirtual data. Even though these systems are first-generation, he notes, they’re capable of integrating disparate data sources and analyzing structured and unstructured information.

Keith Brogan, a senior manager with Deloitte & Touche LLP’s Cyber Risk Services practice, says many of these systems work by establishing and maintaining a baseline for “normal” or “typical” employee behavior and tracking deviations from it. For example, if during the course of a day a financial securities trader calls a competitor in addition to his normal client base, attempts to badge into the investment research area of his company’s business (a policy violation), and executes a trade outside the rules he’s allowed to trade within (another policy violation), the system will raise an alert for follow-up. “These systems include rules and logic that establish thresholds for risk indicators, and release an alert when those thresholds are exceeded,” he says.
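The two preceding passages describe the mechanics in prose: correlate virtual data (log-on times, system access, downloads, email) with nonvirtual data (performance ratings, policy violations), compare it against a baseline of normal behavior, and alert when a weighted set of risk indicators crosses a threshold. The script below is an added example written for this page; it is not Deloitte's tooling or any product mentioned in the article. The event records, HR records, indicator weights, the alert threshold, and the "at least two distinct indicators" rule are all constructed assumptions chosen to illustrate the pattern-over-single-behavior point Gelles makes.

```python
"""
Toy insider-threat indicator correlation (added example, not from the article).
Builds a per-employee baseline from historical login hours, scores deviations
in the virtual data plus nonvirtual HR indicators, and raises an alert when the
weighted score of *distinct* indicators crosses a threshold.  All data, weights
and thresholds below are constructed for illustration.
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline period: historical login hours (as decimal hours) per employee.
BASELINE_LOGINS = {
    "alice": [8.5, 9.0, 8.75, 9.25, 8.5, 9.0, 8.75, 9.0],
    "bob": [9.0, 9.5, 9.25, 9.0, 9.5, 9.25, 9.0, 9.5],
    "charlie": [8.0, 8.0, 8.0, 8.0, 8.0, 8.0],
}

# Constructed observation window of virtual events:
# (timestamp, user, action, target, extra attributes)
EVENTS = [
    ("2013-06-10T22:40:00", "alice", "access", "source_repo", {}),
    ("2013-06-11T23:15:00", "alice", "download", "source_repo", {"mb": 850}),
    ("2013-06-12T21:05:00", "alice", "email", "external", {"attachment_mb": 60}),
    ("2013-06-10T09:05:00", "bob", "access", "source_repo", {}),
    ("2013-06-11T09:20:00", "bob", "email", "internal", {"attachment_mb": 2}),
    ("2013-06-10T23:00:00", "charlie", "access", "source_repo", {}),
    ("2013-06-12T23:30:00", "charlie", "access", "source_repo", {}),
]

# Constructed nonvirtual data as it might come from HR and compliance.
HR_RECORDS = {
    "alice": {"performance_rating": 1, "policy_violations": 2},
    "bob": {"performance_rating": 4, "policy_violations": 0},
    "charlie": {"performance_rating": 4, "policy_violations": 0},
}

PROTECTED_ASSETS = {"source_repo"}          # the high-value asset being defended
WEIGHTS = {                                  # illustrative indicator weights
    "off_hours_protected_access": 3,
    "bulk_download": 3,
    "large_attachment": 2,
    "policy_violation": 2,
    "poor_performance": 2,
}
ALERT_THRESHOLD = 6     # alert when the summed weights reach this value ...
MIN_INDICATORS = 2      # ... and at least this many distinct indicators co-occur


def build_baseline(logins):
    """Per-user (mean, stdev) of login hour; a stdev floor avoids zero-width bands."""
    return {user: (mean(hours), max(pstdev(hours), 0.5)) for user, hours in logins.items()}


def is_off_hours(hour, base, k=4.0):
    """True when the hour falls outside mean +/- k*stdev of the user's own baseline."""
    mu, sd = base
    return abs(hour - mu) > k * sd


def evaluate(user, events, hr, baseline):
    """Return (score, sorted list of distinct indicators) for one employee."""
    found = set()
    for ts, who, action, target, extra in events:
        if who != user:
            continue
        dt = datetime.fromisoformat(ts)
        hour = dt.hour + dt.minute / 60
        if target in PROTECTED_ASSETS and is_off_hours(hour, baseline[user]):
            found.add("off_hours_protected_access")
        if action == "download" and extra.get("mb", 0) >= 500:
            found.add("bulk_download")
        if action == "email" and extra.get("attachment_mb", 0) >= 25:
            found.add("large_attachment")
    record = hr.get(user, {})
    if record.get("policy_violations", 0) > 0:
        found.add("policy_violation")
    if record.get("performance_rating", 5) <= 2:
        found.add("poor_performance")
    return sum(WEIGHTS[i] for i in found), sorted(found)


def run(events=EVENTS, hr=HR_RECORDS, logins=BASELINE_LOGINS):
    """Correlate all employees and return {user: {"score", "indicators"}} for alerts."""
    baseline = build_baseline(logins)
    alerts = {}
    for user in baseline:
        score, indicators = evaluate(user, events, hr, baseline)
        if score >= ALERT_THRESHOLD and len(indicators) >= MIN_INDICATORS:
            alerts[user] = {"score": score, "indicators": indicators}
    return alerts


if __name__ == "__main__":
    for user, detail in run().items():
        print(f"ALERT {user}: score={detail['score']} indicators={detail['indicators']}")
```

Scoring distinct indicators rather than counting every event is deliberate: "charlie" repeatedly touches the protected repository after hours, but with no corroborating nonvirtual signal that single behavior stays below the threshold, whereas "alice" trips several independent indicators across both data types and is escalated for human follow-up. In a real program the weights and thresholds would be tuned per asset with HR, legal, and compliance stakeholders, as the article goes on to recommend.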

While today’s insider threat monitoring systems may be effective, Gelles cautions organizations against relying solely on technology to mitigate insider threats. Instead, he suggests they institute an insider threat program that defines the assets a company wants to protect; establishes policies, procedures, controls, and training designed to protect those assets; and brings together stakeholders and data owners from a variety of functions, including HR, legal, compliance, finance, and administration.

“Correlating people-centric data over time can allow organizations to identify threats that might otherwise go undetected and stop a malicious insider’s forward progress,” says Gelles. “But without full participation from leadership, CIOs and CISOs may have trouble getting the data required to build that pattern of precursors that may indicate a potential insider threat.”

About Deloitte Insights

Deloitte Insights for CIOs couples broad business insights with deep technical knowledge to help executives drive business and technology strategy, support business transformation, and enhance growth and productivity. Through fact-based research, technology perspectives and analyses, case studies and more, Deloitte Insights for CIOs informs the essential conversations in global, technology-led organizations.
